A cyberattack that targeted a number of countries, in particular Iran, has presented users with an American flag and a message in English reading, “Don’t mess with our elections.”

The attack, which at least according to the Iranian government took place Friday night, is said to have infiltrated 200,000 routers worldwide, including 3,500 in the Islamic republic. The country said in a statement reported by Reuters that the attack hit internet service providers and cut off web access for subscribers, although no data is claimed to have been stolen.

The vulnerability believed to have been used for the attacks is a “protocol misuse” issue in the Cisco Smart Install Client. It was revealed by Cisco in February last year but recently discussed in a blog post by Cisco Systems Inc. April 5.

In that blog post, Nick Biasini, a threat researcher at Cisco’s Talos Security Intelligence and Research Group notes that the company has recently become aware of “specific advanced actors” targeting Cisco switches using the issue.

“The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image and set up accounts, allowing for the execution of IOS commands,” Biasini wrote. “Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.”

The Smart Install protocol is described as a legacy solution that may no longer be required. Cisco simply suggested that customers should remove it where it is not being used, or in the event that it is required, restrict access to the service via an access control list.

Despite the use of an American flag on the infected systems, it’s not yet certain that the attack actually had a political motivation. Phil Neray, vice president of Industrial Cybersecurity for CyberX Inc., told SiliconANGLE that the timing is interesting.

“Two weeks ago, the U.S. Cyber Command published a bold vision document describing ‘continuous engagement’ to ‘persistently contest malicious cyberspace actors,’” Neray said. “Last week, Cisco Talos issued a blog post stating that U.S. critical infrastructure was being targeted by Dragonfly — a group of Russian nation-state hackers also identified in the recent FBI/DHS alert – who were exploiting the same Smart Install bug in Cisco routers.”

Neray posed the obvious question: “Could this breach of Iran’s data centers be the first example of this new and more active approach by the U.S. Cyber Command — or is it a false flag operation by a malicious group?”

Photo: U.S. Air Force